The Personal Data Protection (Amendment) Bill 2020 (the Bill) was published today for public consultation.
Key amendments proposed in the Bill include:
- Increased financial penalties for breaches of the Personal Data Protection Act (the Act) of up to 10 per cent of annual gross turnover in Singapore or S$1 million, whichever is higher.
- Mandatory data breach notification to Singapore’s Personal Data Protection Commission (the Commission) and affected individuals.
  - The timeline for notifying the Commission has been tweaked to within three calendar days from the day an organisation assesses that a breach is notifiable (this was previously 72 hours).
  - There will be regulations to prescribe the categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the individuals affected.
  - The exceptions to notifying affected individuals are: (a) where remedial actions have been taken; or (b) where the personal data is subject to technological protection measures (e.g., encryption), such that the breach is unlikely to result in significant harm to the affected individuals.
- Deemed consent will be expanded to include:
a) contractual necessity, i.e., where data processing is reasonably necessary to perform a contract; and
b) notification with an opportunity to opt out, i.e., where individuals have been notified of the purpose of the data processing and given an opportunity to opt out.
- New exceptions to consent:
a) Legitimate interests: this exception applies where the legitimate interests of the organisation and the benefit to the public (or any section thereof) together outweigh any adverse effect on the individual. This could include where data is processed for the purposes of detecting or preventing illegal activities (e.g., fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services. Organisations must conduct a risk and impact assessment, and disclose any reliance on legitimate interests. The exception cannot be used to send direct marketing messages to individuals.
b) Business improvement: this exception applies where there is a need to: (i) carry out operational efficiency and service improvements; (ii) develop or enhance products/services; or (iii) know more about the organisation’s customers. The use of personal data must be what a reasonable person would consider appropriate in the circumstances, and the data must not be used to make a decision that is likely to have an adverse effect on any individual. This exception also applies to a group of companies, including subsidiaries within an organisation.
c) Revised research exception: this exception applies provided that, among other things: (i) the use of personal data or results of the research must not have an adverse effect on individuals; and (ii) results must not be published in a form that identifies any individual. There will also be a loosening of the restrictions on the use of personal data for research purposes without consent; for instance, the exception can apply to institutes carrying out scientific research and development, or arts and social science research, or to market research aimed at understanding potential customer segments. However, disclosure for research purposes will continue to be subject to more stringent restrictions relating to impracticality and public interest.
- New data portability rights for individuals, giving them the right to request the transmission of their data to another service provider.
An organisation’s portability obligation will only apply to:
a) user-provided data and data on user activity held in electronic form, including business contact information. This data may include third party personal data, where the request is made in the requesting individual’s personal or domestic capacity;
b) requesting individuals with an existing, direct relationship with the organisation; and
c) receiving organisations with a presence in Singapore. However, data portability could subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.
The Commission will work with industry and sector regulators to establish and set out further requirements under regulations, including:
(i) A ‘whitelist’ of data categories to which portability applies.
(ii) The technical and process details to ensure the correct data is transmitted safely to the right receiving organisation, and in a usable format.
(iii) Any relevant data porting request models. Consumers can either make the data porting request directly to the porting organisation (‘push model’) or through the receiving organisation (‘pull model’). Data porting can take place directly between the two organisations or through an intermediary.
(iv) Safeguards for individuals, tailored to the risks associated with the dataset under the whitelist. This could include cooling-off periods for certain datasets to provide time for a consumer to change their mind and withdraw a porting request, and the establishment of a blacklist of organisations that porting organisations may justifiably refuse to port data to.
Exceptions to the data portability obligation will be provided, similar to those for the access obligation.
Personal data that is derived by an organisation in the course of business from other personal data (“derived personal data”) will not be covered by the portability obligation.
Refusals of porting requests must be notified to individuals, together with the reasons for the refusal, and within a reasonable time. The Commission will have the power to review these refusals and any fees for the porting of data.
- Enhanced protection against unsolicited telemarketing and spam.
  - The Spam Control Act will cover the bulk sending of commercial text messages to instant messaging accounts.
  - ‘Do not call’ (DNC) provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.
  - Third party checkers will be required to communicate accurate DNC register results to the organisations on behalf of which they are checking the DNC register, and the checkers will be liable for DNC infringements resulting from any erroneous information provided by them.
  - The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the Act, as opposed to being enforced as criminal offences.
- Express mention of “accountability” in the Bill, indicating that organisations will be expected to demonstrate compliance.
- Organisations acting on behalf of public agencies will be subject to the Bill. Currently, they are exempted.
- There will be new offences to hold individuals accountable for egregious mishandling of personal data on behalf of an organisation or public agency, namely:
a) any unauthorised disclosure of personal data that is carried out knowingly or recklessly;
b) any unauthorised use of personal data that is carried out knowingly or recklessly and results in a wrongful gain or a wrongful loss to any person; and
c) any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly.
This does not include public officers, who are subject to the Public Sector (Governance) Act 2018.
- It will be an offence for a person to fail to: (i) comply with an order to appear before the Commission or an inspector of the Commission; (ii) provide a statement in relation to any investigation; or (iii) produce any document specified in a written notice.
- The implementation of the data breach management plan may be the subject of a statutory undertaking which, when coupled with mandatory breach notification, can be used by the Commission in any act of enforcement.
- The Commission will have the power to (i) approve mediation schemes; and (ii) direct complainants to resolve data protection disputes via mediation, without the need to secure the consent of both parties.
- Organisations will be required to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the individual has exhausted their right to apply to the Commission for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.
- The scope of the business asset transaction exception in the Act will be extended to the personal data of independent contractors (e.g., Grab drivers), in addition to that of employees, customers, directors, officers and shareholders of the organisation.
These changes are driven by a need to revise Singapore’s existing data protection law to ensure it keeps pace with the evolving technological and business landscape whilst providing for effective protection of personal data in the digital economy.
The consultation closes at 5pm (Singapore time) on 28 May 2020.